Re: [opensuse] Unusual traffic through eth0



On 12/03/12 11:33, Per Jessen wrote:
Bob Williams wrote:

On 12/03/12 09:54, Per Jessen wrote:
Bob Williams wrote:

Last night, I noticed a regular pattern of blips in gkrellm's eth0
monitor. There were no internet active programs, such as e-mail or
web browser running, so I started Wireshark to see what was
happening.

Apart from the expected chatter between this machine and the router,
the following two lines repeated over and over, and it is continuing
on rebooting the machine this morning:

Source Destination Protocol Info
217.14.132.183 192.168.1.14 SIP Status: 100
Trying (0 bindings)
217.14.132.183 192.168.1.14 SIP Status: 401
Unauthorized (0 bindings)

Is this entirely innocent, or should I contact abuse@Domainmaster
(see below)?

Perhaps not entirely innocent (SIP attempts for VoIP), but I would
have thought your firewall should be blocking such traffic?


Really? I do run skype from time to time, and have tried out ekiga, so
maybe the SIP protocol is allowed.

Skype is proprietary, I don't know what ekiga does. SIP is "Session
Initiation Protocol" for standard VoIP. My Asterisk telephone server
is regularly flooded by SIP requests, bordering on a DoS attack.

Ekiga is a SIP client.

The only services I have explicitly allowed in YaST Firewall
Configuration are Rsync server, Secure Shell server and xntp server.

I would expect that to mean that the SIP traffic is dropped or rejected.
Maybe check your firewall log.

Well, the firewall log gives much the same information as wireshark.
Although it's irritating, I don't think I'm vulnerable so I'll just
monitor things for the time being.

The last time something like this happened I was being attacked through
ssh port 22, but they were definitely trying a dictionary attack with
various username & password combinations.

All the above traffic seems to be one way, in other words, I never see
my machine sending a reply, I am always the destination, never the
source.

Maybe gkrellm is reporting on traffic before the firewall drops it.

Maybe

Thanks, Bob
--
Bob Williams
System: Linux 3.1.9-1.4-desktop
Distro: openSUSE 12.1 (x86_64) with KDE Development Platform: 4.7.2
(4.7.2) "release 5"
Uptime: 18:00pm up 5 days 0:29, 3 users, load average: 0.23, 0.15, 0.14
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx